50 comments

[ 2.4 ms ] story [ 111 ms ] thread
I used to have my first blog ever registered through duck dns. Reused an old hp desktop a friend of mine had found for me at the nearest waste collection facility as server. A golden era for me.
Thoughts on using services like these? Especially in relation to privacy and security.

I ended up going for my own VPS with a WireGuard server for my home server to connect to.

I don’t see much issues with privacy or security with a service like this.

They don’t get traffic going through them. They mainly exist to point to an IP. With enough data they have information on how an ISP rotates IP’s and who they’ve gone to.

In your case, with a WireGuard VPS, all traffic goes through the server. That’s a very different setup.

In their case, a request goes to them at a regular interval and they update the IP the dns record points to. That’s it.

When someone requests the domain, they simply respond with an IP. At most, if there’s little caching, they could get frequency of usage.

> They don’t get traffic going through them.

A rouge DNS can reply to select queries with an IP of a middleware that can TLS proxy and/or MitM that traffic.

We built such a thing mostly for anti-censorship purposes (bypass IP blocks): https://github.com/celzero/midway#demo

I use duckdns and the only service I'm accessing through that CNAME is ssh, which checks host keys, so it doesn't have to be a problem.
wouldn’t that invalidate the cerificate?
If they control the domain, they can get a new valid certificate
There's no routing of the actual traffic, only basic DNS forwarding. Of course it's not meant for business production services, but it's decent for homelab. Especially considering for how long has DuckDNS been operating.
My biggest concern would be someone scanning CT logs to find hosts with hobbyist grade security. That’s not meant to insult hobbyists, but they might be a juicy target for immediately exploitation after a zero day hits. To be clear, it’s the same for any well known DynDNS domain.

Besides that, I looked at every DynDNS system I could find back in the summer. There were only 3 that I was happy with; Hurricane Electric, Google Domains, and a pair of self hosted Bind servers.

If you want the best, simple solution, and it doesn’t need to be completely free, register a domain with Google domains. If anyone knows of limitations, let me know.

Namecheap maxes out at 150 DynDNS hosts :-(

I prefer to use Cloudflare for my DNS including dynamic DNS. I happen to have my domains registered through them but it is not a requirement to use their free tier.
Best to pay the money for your own domain name, and find a free service to point it where you need to.

You can keep jumping to new gimmick first year deals on unusual TLDs but they are often considered spammy and always gouge on renewal pricing.

The thing I find most interesting about this post is the Reddit login deprecation.

Reddit provides an OAuth2 IdP service... but is unhappy when platforms use it? I'm genuinely curious why they provide this service if their legal team then actively chases platforms that use it to get them to desist?

https://www.duckdns.org/reddit.jsp

They want to make money out of your browsing history, they don't it to become a cost center.
They're pretty explicit in the email, the service has to be related to Reddit.

OAuth login to edit all your comments in a react CMS? OK. OAuth login to to update you server dynamic ips? Not really Reddit focused.

Really more of a failure on the API key generation page where you should (perhaps now do) have to click a "Yes, my thing extends or uses data from reddit" to get a key.

What other auth system should they have used to allow 3rd party login, that some how also handles site intent?

> What other auth system should they have used to allow 3rd party login, that some how also handles site intent?

Well, clearly the four other auth options they have don't care about what they're being used for.

(comment deleted)
Be aware that Facebook Messenger flags duckdns.org subdomains as unsafe URLs (i.e. cybercriminals using the service have tarnished its reputation).
My employer's firewall won't even let me access the site.
Note to self, host more stuff on duckdns.

I can't stand the amount that folks bend over backwards to accommodate lazy, inconsiderate middle men.

Read my think piece on my ad/pop-up riddled Medium/Substack blog!

Dynamic dns domains are used heavily by spammers as a free way to get new domains to spread links on social media sites (to evade domain bans). Typically these are fake dating site scams targeted at men. I’m dealing with this now at at one of the top social media companies.
Do they also check by CNAME? If I buy a domain and connect DuckDNS via CNAME, would filters trip on this as well?
I don't think they do. I've been using DuckDNS against my own domain CNAMEs for years.
And? Not sure what I'm supposed to take from this. Domains can be had for so cheap, the fact that it's even a consideration in the spam profile is kinda... :/.
This is not unique to duckdns. My own domains with completely innocent content get flagged as unsafe by the big gatekeepers. This is a growing problem for any of us outside their walls.
> cybercriminals using the service have tarnished its reputation

Yeah, that's the only reason I'd heard of Duck DNS before - I got some "please sign in to your bank account" text with a link and I saw the domain in the URL was duckdns.org so I looked into it. With behavior like that on their domain, I'd imagine many browsers, firewalls, etc will block them.

Wow, thanks for a reminder as to why I'd literally never use Facebook Messenger.

Somethings are actually indeed worth the friction-full conversations of "no, sorry please use (anything else) to chat with me".

Shout out to DuckDNS; Thank You! Have been using it for a few years now without a hitch!

Although its free, they accept donations via Patreon[0], Paypal etc. Running and maintaining services is not free, so if you're using DuckDNS, contributing would guarantee that the service survives into the future!

[0] https://www.patreon.com/user?u=3209735

"Sign in with Persona" - really takes me back...
Duck dns is very usefull. I use to host a demo from a CRM portal my company sold at my house.

The problem was that I had dynamic IP and my isp shit router did not suport DNS services. So I made a simple script that would log in and acess the router information page, get the public IP and update in the DUCK dns with a curl.

Worked Like a charm.

Yeah most routers come with a fixed list of services, when they really mean is a list of protocols.

I have a Huawei Fibre ONT, that only listed DynDNS, NoIP, and a few others. I could get away by using a NextDNS DNS override, and hosting my own script that forwarded the API call to the actual DDNS provider.

I currently use no-ip free tier for this. My only complaint with no-ip free is that I have to login and verify that I am still using it after a while. Does Duck DNS do this too?
They do not. Wouldn't be paying them via Patreon if they did.
> why make a free DDNS service?

> because we can, because before we started we couldn't, learning is fun

That last line about learning has the right spirit!

DuckDNS was a great aid i had in my early stages of homelabbing before I had my own domain.
Been using this for years to connect to my home WireGuard server running on RPi.
Is no one else getting SEC_ERROR_UNKNOWN_ISSUER for this site using latest Firefox? Ironic...
this is good. there should be more services to pool DNS, email addresses, and cell phone numbers. this should be a basic tool for the hacker to get around the muggle.
>ec2 server reboots, its ip address is set by the provider of that connection, this means it may update at any time

From memory, EC2 instances only get provisioned a new IP when booted from cold, not a reboot.

Also, AWS lets you ask for a static IP access (EIP) which you don't pay for so long as it is attached to something (an ec2 instance, a load balancer, etc).
An EC2 switched off can still have an EIP attached and that attachment is billed I think.
ive been using duckdns for years and years, its the best.
A few friends and I wrote a simple dynamic DNS service called ddns[1] around a 0-dependency nodejs script that manages NSD zone files. It's pretty easy to self-host an ns for your own needs. The most interesting feature it has is the ability to register an unused entry without authentication (or with an adminpassword) but update it with a password set on first registration. This allows me to bake that password into a cronjob on any given server without the risk that it can hijack DNS from other servers if it is compromised. My company now uses it (plus NSD zone transfer) to drive our DNS layer for server to server communications.

One of my friends runs a public instance here, with no guarantees offered.[2]

1: https://github.com/thingless/ddns

2: https://moreorcs.com/domain.html

Is the source of this service available somewhere?